jianzzha · May 12, 2021 20:38
diff --git a/gistfile1.txt b/gistfile1.txt
 ### update /etc/pki/tls/openssl.cnf and update this section
 [ v3_ca ]
 subjectAltName=IP:192.168.222.1

 ### create self cert
 sudo mkdir -p /opt/registry/{auth,certs,data}

 host_fqdn=192.168.222.1
 cert_c="US"
 cert_s="Massachussets"
 cert_l="Boston"
 cert_o="Red Hat, Inc"
 cert_ou="Engineering"
 cert_cn=192.168.222.1

 sudo openssl req \
        -newkey rsa:4096 \
        -nodes \
        -sha256 \
        -keyout /opt/registry/certs/domain.key \
        -x509 \
        -days 365 \
        -out /opt/registry/certs/domain.crt \
        -subj "/C=${cert_c}/ST=${cert_s}/L=${cert_l}/O=${cert_o}/OU=${cert_ou}/CN=${cert_cn}"
        
 ### trus this self signed cert, so curl will not complain
 cp /opt/registry/certs/domain.crt /etc/pki/ca-trust/source/anchors/
 update-ca-trust enable
 update-ca-trust extract

 ### let docker trust this self signed cert
 mkdir -p /etc/containers/certs.d/192.168.222.1:5000
 cp /opt/registry/certs/domain.crt /etc/containers/certs.d/192.168.222.1:5000/

 ### create http user: openshift , password: redhat
 yum -y install  httpd httpd-tools
 mkdir -p /opt/registry/auth/
 htpasswd -bBc /opt/registry/auth/htpasswd openshift redhat

 ### create local volume for registry
 mkdir /var/registry_vol

 ### start registry container
 podman run -d  --privileged -p 5000:5000  --name registry \
       -e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
       -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
       -v /var/registry_vol:/var/lib/registry -v /opt/registry/auth:/auth -v /opt/registry/certs:/certs \
       -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
       -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
       docker.io/library/registry:2
       
 ### list what's in the registry
 curl -u openshift:redhat -v -X GET https://192.168.222.1:5000/v2/_catalog

 ### upload image
 podman login -u openshift -p redhat 192.168.222.1:5000
 podman push 192.168.222.1:5000/flexran

 ### make the cert part of the ocp install 
 echo "additionalTrustBundle: |" >> install-config.yaml
 sed -e 's/^/  /' /opt/registry/certs/domain.crt >> install-config.yaml

 ### Or on an existing cluster
 oc create configmap registry-cas -n openshift-config --from-file=192.168.222.1..5000=/opt/registry/certs/domain.crt 
 oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":{"name":"registry-cas"}}}' --type=merge

 ### attach the username/password secret to the service account
 oc create secret docker-registry local-registry-secret --docker-server=192.168.222.1:5000 --docker-username=openshift --docker-password=redhat
 oc secrets link default local-registry-secret --for=pull
	### update /etc/pki/tls/openssl.cnf and update this section
	[ v3_ca ]
	subjectAltName=IP:192.168.222.1

	### create self cert
	sudo mkdir -p /opt/registry/{auth,certs,data}

	host_fqdn=192.168.222.1
	cert_c="US"
	cert_s="Massachussets"
	cert_l="Boston"
	cert_o="Red Hat, Inc"
	cert_ou="Engineering"
	cert_cn=192.168.222.1

	sudo openssl req \
	-newkey rsa:4096 \
	-nodes \
	-sha256 \
	-keyout /opt/registry/certs/domain.key \
	-x509 \
	-days 365 \
	-out /opt/registry/certs/domain.crt \
	-subj "/C=${cert_c}/ST=${cert_s}/L=${cert_l}/O=${cert_o}/OU=${cert_ou}/CN=${cert_cn}"

	### trus this self signed cert, so curl will not complain
	cp /opt/registry/certs/domain.crt /etc/pki/ca-trust/source/anchors/
	update-ca-trust enable
	update-ca-trust extract

	### let docker trust this self signed cert
	mkdir -p /etc/containers/certs.d/192.168.222.1:5000
	cp /opt/registry/certs/domain.crt /etc/containers/certs.d/192.168.222.1:5000/

	### create http user: openshift , password: redhat
	yum -y install httpd httpd-tools
	mkdir -p /opt/registry/auth/
	htpasswd -bBc /opt/registry/auth/htpasswd openshift redhat

	### create local volume for registry
	mkdir /var/registry_vol

	### start registry container
	podman run -d --privileged -p 5000:5000 --name registry \
	-e "REGISTRY_AUTH=htpasswd" -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
	-e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
	-v /var/registry_vol:/var/lib/registry -v /opt/registry/auth:/auth -v /opt/registry/certs:/certs \
	-e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
	-e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
	docker.io/library/registry:2

	### list what's in the registry
	curl -u openshift:redhat -v -X GET https://192.168.222.1:5000/v2/_catalog

	### upload image
	podman login -u openshift -p redhat 192.168.222.1:5000
	podman push 192.168.222.1:5000/flexran

	### make the cert part of the ocp install
	echo "additionalTrustBundle: \|" >> install-config.yaml
	sed -e 's/^/ /' /opt/registry/certs/domain.crt >> install-config.yaml

	### Or on an existing cluster
	oc create configmap registry-cas -n openshift-config --from-file=192.168.222.1..5000=/opt/registry/certs/domain.crt
	oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":{"name":"registry-cas"}}}' --type=merge

	### attach the username/password secret to the service account
	oc create secret docker-registry local-registry-secret --docker-server=192.168.222.1:5000 --docker-username=openshift --docker-password=redhat
	oc secrets link default local-registry-secret --for=pull